DETAILED ACTION

1. Claims 1-17 and 19-27 remain for examination. The amendment filed 6/18/10
amended claims 1, 20, 21, and 27.

Continued Examination Under 37 CFR 1.114 

2. A request for continued examination under 37 CFR 1.114, including the fee set 
forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this
application is eligible for continued examination under 37 CFR 1.114, and the fee set
forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action
has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 6/18/10 
has been entered. 

Response to Arguments 

3. Applicant's arguments filed 6/18/10 have been fully considered but they are not
persuasive. Applicant primarily argues, 

Eitel teaches an invention where the cardinality of the full set of search results is 
measured. In Eitel, a search agent is uploaded to a website and executed. The agent 
performs searches that result in the production of search reports. After a search is 
performed, the agent counts the number of records in the search report for that search. 

[...] 

The passage cited by the Office shows that Eitel is concerned with how many records are 
contained in a search report ("web pages retrieved by the Internet search", per claim 1). 
Claim 1, in contrast, is concerned with how many of the records in the search report
("web pages retrieved by the Internet search", per claim 1) meet a specific condition
("contain both the proposed password and the other string", per claim 1).

Examiner disagrees, and respectfully submits that Applicant has misinterpreted 
the Eitel reference to an absurdly literal degree, as one of ordinary skill in the art would 
have good reason to expect that a search engine would, by design, produce results
comprising the various search terms being queried. To the best of Examiner's
understanding, Applicant appears to assume that any search engine that would be
employed by Eitel, Wong, or anyone else simply churns out thousands of hits without 
any analysis whatsoever of whether said hits have any relevance to the query initially 
provided by the user, and that Eitel in particular uses only the number of hits as the sole 
determinant of whether it found a valid result; however, it should be immediately 
obvious from the references alone that this is not the case. As one non-limiting 
example, the Eitel invention is perfectly capable of analyzing the results produced by 
the search engine to determine if it has truly found what the user was looking for; see 
the example provided on col. 5, lines 40-60 wherein the Eitel invention can further 
scrutinize search results for new home listings to include only results where the prices 
fall within the range desired by the user. However, Wong actually provides the more 
pertinent example, as the Wong invention - or at least, that aspect of the Wong 
invention specifically cited by the Examiner - is specifically intended to search for a 
user's password by examining search results related to other strings such as but not 
limited to said user's personal information to see if said user's password can be found 
within said search results. It should be noted that in the unmodified default operation of 
the Wong invention, Wong does not actually know in advance what the password is that 
it should be looking for; the passwords that it is trying to guess are stored only in 
encrypted fashion (Wong, paragraph 0104), in accordance with techniques that are well 
known amongst those of ordinary skill in the art. So, when the search engine returns its 



Application/Control Number: 10/815,191 Page 4

Art Unit: 2435 

results to the Wong invention, the Wong invention must examine each of the results 
returned to identify any other strings within said results that might be the user's 
password. In fact, it should be readily evident that the problem solved by this aspect of 
Wong is, if anything, a more difficult problem to solve than that accomplished by either 
the instant invention or P-Synch, as the latter two inventions have the added benefit of 
knowing in advance what the user's password would be prior to the step of determining 
if the password is a sufficiently strong password in accordance with the general 
knowledge of the art (e.g. see the rules for a strong password described in the 
previously cited SecurityStats.com reference). Thus, in view of the above, Examiner 
maintains that prior art, in searching for a person's password via a search engine, 
evaluates both the quantity and quality of the results for making its determination, rather 
than just the quantity as alleged by Applicant. 

Regarding the new limitation of claim 20, although the Examiner disagrees that 
the new limitation excludes consideration of the format of numbers as alleged by the 
Applicant, nevertheless Examiner observes that the techniques employed by Wong can 
discern the significance of a particular number, such as identifying that the number 
"010103" is actually used as a birthdate of a user, even in the absence of contextual 
clues from the formatting of said number (Wong, paragraph 0109). 

Claim Rejections - 35 USC § 103 

4. The text of those sections of Title 35, U.S. Code not included in this action can 
be found in a prior Office action. 

5. Claims 1-16 and 19-27 are rejected under 35 U.S.C. 103(a) as being
unpatentable over "P-Synch Installation and Configuration Guide" (hereinafter, "P-Synch")
in view of Wong (U.S. Patent Application Publication 2005/0102534) in view of
Eitel (U.S. Patent 7,043,521).

Regarding claims 1, 21, and 27: 

P-Synch discloses a method, apparatus, and article of manufacture for 
evaluating a password proposed by a user, comprising: receiving a proposed password 
from a user (page 4, "3. Users select a new password..."); and rejecting the proposed 
password based on a rule for the selection of passwords (page 4, "4. P-Synch checks 
the new password..."; cf. pages 124-126 for sample rules). 

P-Synch does not explicitly disclose performing an Internet search using a query 
containing one or more keywords derived from said proposed password, and rejecting 
the password based on the results returned by said search engine. However, it is 
observed that P-Synch, while already possessing a defined set of rules to measure a
proposed password's strength, can nevertheless be extended by allowing an admin to 
add new rules via a plug-in (page 127, section 10.19.1 "Adding new rules with a plug-in 
program"). In that vein, Wong discloses a related security auditing tool including inter 
alia functionality to test passwords according to various security criteria, said 
functionality in turn including inter alia querying one or more Internet search engines to 
determine if a password can be correlated to a user according to any number of criteria 
(paragraphs 0108-0110 and 0127). It would have been obvious to one of ordinary skill
in the art to develop a plug-in for P-Synch that implements the above functionality
disclosed by Wong's automated password cracker to determine if a proposed new 
password can be correlated to a user, as the technique is clearly within the capabilities 
of one of ordinary skill in the art. 

Although Wong discloses wherein his search-engine-employing password 
searcher may be recursively iterated to continue churning up multiple hits that could 
inadvertently reveal a user's password (paragraph 0110), it is unclear if this step is 
taken only when the previous queries failed to find the password or whether the system 
is trying to confirm that it has found one's password by finding multiple pages containing 
it. Nevertheless, Eitel discloses a related technique to be employed during a search for 
arbitrary information on the Internet wherein the search will fail if, for example, the 
search comprised too few hits to satisfy a pre-established threshold (col. 6, line 46 - col. 
7, line 3). It would have been obvious to one of ordinary skill in the art to set a minimum 
threshold for search hits for determining if the Wong plug-in has found one's password, 
as the technique is clearly within the capabilities of one of ordinary skill in the art, and 
one would have had a good reason to pursue the known options within one's grasp. If 
setting a minimum threshold for search hits would lead to anticipated success, it would 
be the product not of innovation but of ordinary skill and common sense. 

Regarding claims 2, 3, and 22: 

P-Synch further discloses wherein said one or more predefined correlation rules 
evaluate whether that said proposed password can be [qualitatively: the password is the 
username; quantitatively: the password is similar to the username] correlated with said
user (page 126, as indicated). 

Regarding claims 4, 6, 23, and 24: 

P-Synch in view of Wong further discloses wherein said proposed password is 
comprised of a proposed answer and a proposed hint (P-Synch: the user Q&A profiles 
on pages 83 and 199-200), and wherein the proposed answer can be correlated 
with/obtained from the proposed hint in a particular relation (Wong: pars. 0108-0110).

Regarding claim 5: 

P-Synch further discloses wherein said particular relation is selected from the 
group consisting essentially of self, family member, co-author, teammate, colleague, 
neighbor, community member, or household member (pages 83, 199, & 200). 

Regarding claims 7 and 25: 

P-Synch further discloses wherein said proposed password is an identifying 
number (e.g. PIN number, e.g. page 6, "2.2.2 Authentication Systems"). 

Regarding claims 8 and 26: 

P-Synch in view of Wong further discloses wherein the rule evaluates whether 
the identifying number identifies a person in a particular relationship to the user (P-Synch:
"Family member phone number that is not your own", pages 83 and 200; Wong:
paragraph 0109). 

Regarding claim 9: 

P-Synch further discloses wherein said one or more pre-defined correlation rules 
evaluate whether said identifying number is a top N most commonly used identifying 
number (in the embodiment where the password is a PIN, the password history rules on 
pages 126 and 127). 

Regarding claim 10: 

P-Synch in view of Wong further discloses wherein the rule evaluates whether 
the identifying number identifies a top N commercial entity (P-Synch: "radio station dial 
number" at pages 83 and 200; Wong: paragraph 0109). 

Regarding claim 11:

P-Synch in view of Wong further discloses wherein the rule evaluates whether 
the identifying number identifies the user (P-Synch: "Your SSN", Ibid; Wong: Ibid). 

Regarding claims 12-14: 

P-Synch further discloses wherein said identifying number is a portion of a 
telephone number, address, or social security number (pages 83 and 200). 

Regarding claim 15:

P-Synch further discloses wherein said proposed password is a word (page 125, 
the dictionary rules). 

Regarding claim 16: 

P-Synch further discloses wherein said one or more predefined correlation rules 
evaluate whether a correlation between said word and said user exceeds a predefined 
threshold (e.g. the last two rules on page 125). 

Regarding claim 19: 

P-Synch further discloses wherein said step of ensuring a correlation further 
comprises the step of performing a local proximity evaluation (e.g. the last two rules on 
page 125, and the variants of the username on page 126). 

Regarding claim 20: 

P-Synch and Wong further disclose wherein said step of ensuring a correlation 
further comprises the step of performing a number classification (P-Synch: the digits
rules on page 125), wherein the number classification identifies usage of one or more 
numbers found in a web page (Wong, paragraph 0109). 

6. Claim 17 is rejected under 35 U.S.C. 103(a) as being unpatentable over P-Synch
in view of Wong in view of Eitel as applied to claim 1 above, and further in view of 
"About Metacrawler" (hereinafter, "Metacrawler"). 

Regarding claim 17: 

Although Wong suggests searching a plurality of search engines (paragraph 
0108), the references do not explicitly disclose using a meta-search engine. However, 
Metacrawler discloses a single meta-search engine capable of searching a plurality of 
search engines (Metacrawler, entire article, but particularly the first paragraph). It would 
have been obvious to one of ordinary skill in the art to substitute Metacrawler for the 
generic search engine(s) employed by the Wong invention/plug-in, as doing so would 
lead to better results obtained significantly faster than by searching each engine 
separately (Metacrawler, "Better Search, Faster Results"). 

Conclusion 

7. The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure: "Applied Cryptography, 2nd Edition" by Bruce Schneier confirms
that passwords have been typically stored in encrypted [hashed] fashion on computers, 
in such a manner that even with access to the password store on a computer one would 
not be able to discern the actual passwords from the encrypted versions. 

8. Any inquiry concerning this communication or earlier communications from the
examiner should be directed to Thomas Gyorfi whose telephone number is (571)272-3849.
The examiner can normally be reached on 8:30am - 5:00pm Monday - Friday.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kim Vu can be reached on (571) 272-3859. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

7/16/10

/Kimyen Vu/ 

Supervisory Patent Examiner, Art Unit 2435 



